Function openTrade
lacks incorrect-payment sanity checks
Description
The function openTrade
is called in order to open both market and limit orders. Opening a market order requires paying the Pyth oracle fee in ETH and a valid priceUpdateData
. Opening a limit order means the caller needs to pay an additional _executionFee
.
However, for both market and limit orders, the value sent with the transaction is not checked. If a user accidentally sends more value than is needed for the Pyth update or sends any value with a limit transaction, it will be stuck in the contract.
Also, for market orders, the _executionFee
parameter is still added to the amount of USDC transferred from the user, but then the variable is not used anywhere else, so the funds remain stuck in the Trading contract.
Impact
User error while calling the openTrade
function can cause USDC or ETH to be locked.
Recommendations
Ensure that the value sent with the transaction is correct, whether or not the Pyth oracle is consulted. Ensure that the _executionFee
is not taken from the user if they open a market order, or revert if it is nonzero on a market order.
Remediation
The remediation for Finding ref removed immediately-executing open orders.